New Exploit/Virus

Bryan Martin

Windows 2k Advanced Server SP4 with updates current.
SQL Service SP1 8.00.760
IIS5 with all updates applied. NOT running FTP
DNS/DHCP/WINS

Newly commissioned (about 2 weeks) Windows box that sits ahead of the DMZ
behind a Time Warner cable modem. No user interaction whatsoever. The box
simply serves DHCP/WINS/DNS and a website. No user logs onto this box and the
box has not been logged into within the last week. On 1/27/04 the network
slowed with traffic pointing to this box. You can see by the screenshot within
a terminal service connection
(http://www.myplaceinspace.com/virus/VirusScreenshot.gif) that outbound was
pegged (for a cable modem) at 309.8kbps. The only connections into the box
were the *.dip.t-dialin.net connections. These connections are running under
sqlsrv32.exe with the virus actually masking itself as the "msiexec16.exe"
file you see later down the list on port 60090. You can see what files I
could find that were new on the system
(http://www.myplaceinspace.com/virus/) starting at the winnt directory and
files in the system32 directory also. As with most viruses, reg keys were
entered at HKLM->SOFTWARE->Microsoft->Windows->CurrentVersion->Run to
automatically run the msiexec16.exe file, and also a key was entered at
HKLM->SOFTWARE->Microsoft->Windows->CurrentVersion->RunServices to do the
same. IIS log files were checked with no mention of this file being
uploaded. I attempted to trap communications from that program, but when I
did, the msiexec16.exe switched ports to 60089. Any ideas?

Bryan Martin
A&H Wayside
336-342-0717 ext.18
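An added triage script (not from the thread or from any poster) that checks a Windows host for the two indicators described in the post above: autorun entries under the Run and RunServices keys, and a process listening on an unexpected high port, correlated with its image path and Authenticode status. It assumes a current Windows version where Get-NetTCPConnection and Get-AuthenticodeSignature exist (they did not on Windows 2000) and an elevated prompt.

```powershell
# Added example: triage the persistence and network indicators from the post.
# Assumption: modern Windows (Get-NetTCPConnection available), run elevated.

# 1. Autorun persistence. The post reports msiexec16.exe registered under both
#    Run and RunServices; list every value so an unexpected name stands out.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)
$autoruns = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }        # RunServices is absent on NT-based hosts
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip PowerShell's own provider metadata
        [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
    }
}
$autoruns | Format-Table -AutoSize

# 2. Listening sockets mapped to their owning image. The trojan in the post
#    listened on 60090 and moved to 60089 when probed, so report high ports
#    and any image whose signature is not valid (or that has no path at all).
$listeners = Get-NetTCPConnection -State Listen | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $path = if ($proc) { $proc.Path } else { $null }
    $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'NoPath' }
    [pscustomobject]@{
        LocalPort = $_.LocalPort
        PID       = $_.OwningProcess
        Process   = if ($proc) { $proc.ProcessName } else { '?' }
        Path      = $path
        Signature = $sig
    }
}
$listeners |
    Where-Object { $_.LocalPort -ge 49152 -or $_.Signature -ne 'Valid' } |
    Sort-Object LocalPort |
    Format-Table -AutoSize
```

A look-alike name such as msiexec16.exe will show a Path outside the expected system locations and a non-Valid Signature; hash that file (Get-FileHash) before cleanup so the sample can be submitted to the AV vendor whose scan missed it.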
 
Bryan Martin

Oh and I forgot to mention this box is running Norton AV corp edition with
60126x dats from 1/26/04. Full system scan gives nothing as does manual
scan of infected files.
 
Tim Newton [MSFT]

Msiexec16.exe is part of the Troj/OptixP-13 Trojan. Google has information
on how to clean it out; I am not sure why your AV software is not catching
it.

--
Tim Newton [MSFT]
(e-mail address removed)

Search our Knowledge Base at http://support.microsoft.com/directory
Visit the Windows 2000 Homepage at
http://www.microsoft.com/windows2000/default.asp
See the Windows NT Homepage at http://www.microsoft.com/ntserver/

NOTE: Please reply to the newsgroup and not directly to me. This allows
others to add to and benefit from these threads and also helps to ensure a
more timely response. Thank you!

This posting is provided "AS IS" without warranty either expressed or
implied, including, but not limited to, the implied warranties of
merchantability or fitness for a particular purpose. The views and opinions
expressed in this newsgroup posting are mine and do not necessarily express
or reflect the views and / or opinions of Microsoft.
 
Bryan Martin

It appears to be similar to that virus, but it's got to be a variant because
all signs were not there and also I have other signs that are not in the desc
of the virus. Any ideas how this occurred on a newly commissioned box? No
email is installed/set up on this machine and no interaction.



 
